Monday, January 5, 2015

DMVPN - phase four (IKEv2/FlexVPN)

When Cisco introduced the new IKE (IKEv2) and the new unified
configuration for all VPN types (excluding GET VPN), they also
updated DMVPN. The new version (phase 4, though I'm not sure that is
the official name) changes many things in spoke-to-spoke operation.
There are no more point-to-multipoint tunnels. For the spoke-to-hub
connection you configure a tunnel interface on each spoke router (one
per hub if you have more than one). For spoke-to-spoke communication
you create a virtual-template; every time a new connection is built,
a new dynamic interface is created from this template.
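As an added example (my own configuration sketch, not the post's own config), here is a minimal FlexVPN hub and spoke that follows the layout described above: a static Tunnel0 from the spoke to the hub, and a virtual-template on both sides from which Virtual-Access interfaces are cloned per peer. The addresses 5.5.5.1, 6.6.6.1 and 10.0.0.1 come from the post; the spoke loopback 10.0.0.2, the /24 mask, the names FLEX-KR, FLEX-PROF and FLEX-IPSEC, and the pre-shared key are assumptions. The NHRP redirect/shortcut lines that trigger the dynamic spoke-to-spoke tunnels are the standard FlexVPN mechanism, not something verified in the post (the author defers the redirection feature to a newer IOS).

```cisco
! ---- Hub (r1): WAN 5.5.5.1 on Fa0/0 and Loopback10 10.0.0.1 are from the post
! Keyring: accepts any peer with a single pre-shared key (assumed lab value)
crypto ikev2 keyring FLEX-KR
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key LAB-PSK-PLACEHOLDER
!
! IKEv2 profile: the default proposal/policy are kept, so only identity
! matching, authentication, the keyring and the template to clone are set
crypto ikev2 profile FLEX-PROF
 match identity remote any
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KR
 virtual-template 1
!
! IPsec profile using the default transform set, bound to the IKEv2 profile
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-PROF
!
interface Loopback10
 ip address 10.0.0.1 255.255.255.0
!
! Every spoke that connects gets its own Virtual-Access cloned from this template
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback10
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! ---- Spoke1: WAN 6.6.6.1 (from the post); Loopback10 10.0.0.2 is assumed.
! The keyring, IKEv2 profile and IPsec profile are the same as on the hub
! and are omitted here.
interface Loopback10
 ip address 10.0.0.2 255.255.255.0
!
! Static point-to-point tunnel to the hub (one Tunnel interface per hub)
interface Tunnel0
 ip unnumbered Loopback10
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1 nbma 5.5.5.1
 ip nhrp shortcut virtual-template 1
 tunnel source FastEthernet0/0
 tunnel destination 5.5.5.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! Template for dynamic spoke-to-spoke tunnels, cloned per peer spoke
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback10
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

Two things to keep in mind when adapting this: the any-peer keyring with one shared key means any host that knows the key can authenticate as a spoke, so outside a lab you would match identities per peer or use certificates; and a routing protocol (or NHRP-installed routes) over the tunnels is still needed to reach networks behind the spokes, which the post does not cover. `show crypto ikev2 sa` and `show ip interface brief` (as used in the post) are the quick checks that the IKEv2 SA is up and that a Virtual-Access interface has been cloned.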

In my configuration I will use as many default settings as possible. Let's start with the hub configuration.
I enable the following IKEv2 settings on all routers (hub and spokes):

Once I have access to routers with the new IOS I will update the post with the 'redirection' feature. The rest of the functionality works fine. Spokes (via Tun0) can set up a connection with their hub (via a Virtual-Access interface):

r1#sh ip int b
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        5.5.5.1         YES NVRAM  up                    up
FastEthernet0/1        unassigned      YES NVRAM  administratively down down
FastEthernet1/0        unassigned      YES NVRAM  administratively down down
FastEthernet1/1        unassigned      YES NVRAM  administratively down down
Loopback0              100.11.11.11    YES NVRAM  up                    up
Loopback10             10.0.0.1        YES NVRAM  up                    up
Virtual-Access1        10.0.0.1        YES unset  up                    up
Virtual-Access2        10.0.0.1        YES unset  up                    up
Virtual-Template1      10.0.0.1        YES unset  up                    down
r1#

The first virtual interface, Virtual-Access1, has been created for spoke1 (6.6.6.1):